The Witchcraft Compiler Collection (WCC)

Towards Self Aware Computer Programs
(World class reverse engineering framework)

Advances in REVERSE ENGINEERING of BINARY programs


With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former is that it actually works. Once universal code ‘reuse’ has been achieved by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self-awareness. Finally, we'll see how abusing the dynamic linker internals elegantly solves a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it. The applications in terms of vulnerability exploitation, functional testing, static analysis validation and, more generally, computer wizardry being tremendous, we'll have fun demoing some new exploits in real-life applications and committing public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory and stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented in the Witchcraft Compiler Collection, released as open source software (MIT/BSD-2 licenses).

WCC Resources

DEF CON 24 - Presentation

SMB v2

Sharing more than your files
(World's first exploits against Windows 10 and Microsoft Edge)

In this presentation, we detail a new attack vector against SMBv2, affecting all versions of IE, including the Spartan version shipped with Windows 10. While attacks involving SMB have long been common in LANs, our attack allows complete user compromise from the Internet. By leveraging a series of bugs and malfunctions, we'll see how remote credential theft or user impersonation can be performed without user interaction, extremely reliably, and from the Internet.

SMBv2 Resources

Blackhat USA 2015 - Presentation

First Windows 10 exploit

Dark Reading published an article on our Blackhat presentation. Read it here.

Whitepaper

The original whitepaper is archived on the Blackhat website. The latest version is available on slideshare.

Slides

The material of our presentation is available here.

Filecry (Co-Author)

The new age of XXE
(Remote exploits against Microsoft Internet Explorer)

Filecry: Internet Explorer CVE-2015-1646 and MS15-039


XML eXternal Entities (XXE) is one of the deadliest vulnerabilities on the Internet, and we will demonstrate how critical enterprise software packages are still vulnerable to these attacks today. In this action-packed presentation, we will demonstrate two 0-day vulnerabilities we identified in both popular server-side (Java) and client-side (Internet Explorer) technologies. The first vulnerability can be exploited with an attacker-controlled XML document, leading to arbitrary file exfiltration from a target server even with all the Java protections enabled. The second vulnerability allows an attacker to steal both arbitrary files on the local hard drive and secret information across origins with a malicious webpage, effectively bypassing the Same Origin Policy and breaching the web-local separation. Both exploits are reliable and do not depend on memory corruption.

FileCry Resources

MS15-039/CVE-2015-1646

Advisory MS15-039 and CVE-2015-1646

The Microsoft security bulletin for MS15-039 (Important) is available on the Microsoft website.

Whitepaper

The original whitepaper is archived on the Blackhat website. The latest version is available on slideshare.

Slides

The material of our presentation is available here.

JAVA JDK Defenseless against XML Parsers (Co-Author)

The new age of XXE
(Remote Oracle Java exploits)


XML eXternal Entities (XXE) is one of the deadliest vulnerabilities on the Internet, and we will demonstrate how critical enterprise software packages are still vulnerable to these attacks today. In this action-packed presentation, we will demonstrate two 0-day vulnerabilities we identified in both popular server-side (Java) and client-side (Internet Explorer) technologies. The first vulnerability can be exploited with an attacker-controlled XML document, leading to arbitrary file exfiltration from a target server even with all the Java protections enabled. The second vulnerability allows an attacker to steal both arbitrary files on the local hard drive and secret information across origins with a malicious webpage, effectively bypassing the Same Origin Policy and breaching the web-local separation. Both exploits are reliable and do not depend on memory corruption.

XXE Java Resources

Advisories

The CVE record for CVE-2017-18197 is available on the MITRE website.

The CVE record for CVE-2017-7503 is available on the MITRE website.

The CVE record for CVE-2015-0408 is available on the MITRE website.

Whitepaper

The original whitepaper is archived on the Blackhat website. The latest version is available on slideshare.

Slides

The material of our presentation is available here.

Rakshasa

Hardware Backdooring is Practical
(The World's FIRST Public Firmware Backdoor)


This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof-of-concept malware for the Intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM-related fixes from the BIOS, resulting in a permanent lowering of the security of the backdoored computer, even after completely erasing the hard disks and reinstalling a new operating system. We shall also demonstrate that pre-existing work on MBR subversion, such as bootkiting and preboot authentication software brute forcing, can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demoing its capabilities. We hope to raise the security community's awareness of the dangers associated with the non-open-source firmware shipped with any computer, and to question its integrity. This should also lead to upgrading the best practices for forensics and post-intrusion analysis to include the aforementioned firmware in their scope of work.

Rakshasa Resources

DEF CON 20 - Presentation

The world's first Hardware Backdoor

Wikipedia describes Rakshasa as the first public demonstration of a permanent firmware backdoor.

Whitepaper

The original slides are archived on the DEF CON website. The latest version is available on slideshare (190 000+ views).

MIT Technology Review

Rakshasa has been featured in the MIT Technology Review as a backdoor that is "Undetectable and Uncurable".

Forbes Review

Forbes published an article outlining the disruptive innovations behind Rakshasa.

Slides

Download the Slides of Rakshasa's presentation at Blackhat USA 2012.

Blackhat Presentation

Watch Rakshasa's presentation in this video from Blackhat USA 2012.

PMCMA

Post Memory Corruption Memory Analysis
(Automating exploitation of arbitrary writes)


In this presentation, we introduce a new exploitation methodology for invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occurred inside a running process.
We will expose a methodology which helps write a reliable exploit out of a PoC triggering an invalid memory write, in the presence of security defense mechanisms such as compiler enhancements (full RELRO, SSP...) or kernel anti-exploitation features (ASLR, NX...).
We will demonstrate how to find all the function pointers inside a running process, how to determine which ones would have been dereferenced after the crash, and which ones can be truncated (in particular with 0x00000000). In case all of the above fail, we will show how to test overwrites of specific locations in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed.
In the case of invalid memory reads, we will show how to indirectly influence the control flow of execution by reading arbitrary values, how to trace all the unaligned memory accesses, and how to test whether an invalid read can be turned into an invalid write or used to infer the mapping of the binary. We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(), automatically, and with a rating of the best read/write locations based on the probability of addresses being mapped (because of ASLR).
Finally, since overwriting function pointers doesn't allow direct shellcode execution because of W^X mappings, we introduce a new exploitation technique which works even against the most hardcore kernels such as grsecurity. It is called "stack desynchronization" and allows frame faking inside the stack itself.
Those techniques are implemented in the form of a proof-of-concept tool running under x86 GNU/Linux, available as open source software here.

PMCMA Resources

Blackhat 2011 - Presentation

Source Code

The PMCMA debugger is free software (Apache License) and is available on github.

Whitepaper

The original whitepaper is archived on the Blackhat website. The latest version is available on slideshare.

Slides

Download the Slides of PMCMA's presentation from the archives of Blackhat USA 2011.

CCC 28c3 - Presentation

Breaking Virtualization

By switching the cpu to 8086 mode


In the last 5 years, virtualization software has been massively adopted by companies as a means to reduce costs, achieve instant scalability, and possibly improve their security through isolation. Recent numbers indicate that 78 percent of companies have their production servers virtualized, and 20 percent of them actually rely only on virtualized servers. At the same time, security auditing of such software poses unique challenges, in particular when it comes to dynamic testing. In this paper, we describe a methodology for the security assessment of virtualization software based on switching the CPU to virtual 8086 mode in order to get access to the (possibly virtualized) hardware, which aims at being both generic (applicable to both x86 and x64 architectures) and extremely broad in terms of code coverage. We have implemented this technique in the form of a dynamic testing tool which has proved to be very efficient at finding bugs in virtualization software.

Breaking Virtualization Resources

Hack in the Box - Presentation

HITB Amsterdam Slides

Download the slides of this presentation from the archives of the HITB Amsterdam website.

Ruxcon Slides

Download the slides of this presentation from the archives of the Ruxcon website.

HITB Kuala Lumpur Slides

Download the slides of this presentation from the archives of the HITB Kuala Lumpur website.

Bypassing Pre-Boot Authentication Passwords By Instrumenting The BIOS Keyboard Buffer

(Practical Low Level Attacks Against x86 Pre-Boot Authentication Software)


Pre-boot authentication software, in particular full hard disk encryption software, plays a key role in preventing information theft. In this paper, we present a new class of vulnerabilities affecting multiple high-value pre-boot authentication software packages, including the latest Microsoft disk encryption technology: Microsoft Vista's Bitlocker, with the TPM chip enabled. Because pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interrupts responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input, including plain text passwords, remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerabilities and generic exploits for Windows and Unix platforms on x86 architectures. Unlike current academic research aiming at extracting information from the RAM, our practical methodology does not require any physical access to the computer to extract plain text passwords from physical memory. In the second part, we present how this information leakage, combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer, can lead to a computer reboot without console access and a full security bypass of the pre-boot authentication PIN if an attacker has enough privileges to modify the bootloader. Other related work includes information leakage from CPU caches, reading physical memory thanks to firewire and switching CPU modes.

PreBoot Authentication Bypass Resources

DEF CON 16 Audio

The audio recordings of the presentation are available from the DEF CON archives.

CODE

All of the exploits presented during the conference are available from a single zip archive (kernel exploits, userland assembly exploits, SploitOS.asm).

Slides

The slides of the presentation are available on slideshare.

Whitepaper

The technical whitepaper of this presentation is available here.

Bitlocker Advisory

The advisory for vulnerability CVE-2008-3893 affecting Microsoft Bitlocker is available here.

TrueCrypt Advisory

The advisory for vulnerability CVE-2008-3899 affecting TrueCrypt is available here.

All previous Publications

DEFCON 24 Witchcraft Compiler Collection

DEFCON 16 - BIOS: Bypassing Preboot Authentication Passwords

28c3 Chaos Computer Conference

BIOS Information leakage

Blackhat 2015 SMB Sharing More than your files

INTEL iSEC 2016

Blackhat 2015 SMBv2 Sharing More Than Just Your Files

INTEL iSEC 2012

Ruxmon 2012 Reverse Engineering Proprietary Protocols

SYSCAN 2013

Shakacon 2017 Silent Protest

Blackhat 2015 XXE Defenseless JDK XML Parsers JAVA

Blackhat Europe 2016 Witchcraft Compiler Collection-Towards Self Aware Computer Programs-wp

Blackhat USA 2011 Post Memory Corruption Memory Analysis PMCMA

Blackhat USA 2012 Hardware Backdooring is Practical

CCC 2012

Blackhat 2011 Post Memory Corruption Memory Analysis Whitepaper

Blackhat 2015 Filecry the new age of xxe

DEFCON 16 Bitlocker

DEFCON 20 Hardware Backdooring is Practical

DEFCON 24 Introduction-to-the-Witchcraft-Compiler-Collection

Blackhat 2011.WP

H2HC 2009

HackitoErgoSum 2010

H2HC 2010

H2HC 2013

HITB 2010 Amsterdam

TELECOMX 2009

HITB 2010 KualaLumpur

Auscert 2013 Hardware Backdooring

BSides San Francisco 2016 Witchcraft Compiler Collection

HITB 2011

HITB 2011 Breaking Virtualization 8088 mode

HackitoErgoSum 2010 Breaking Virtualization 8088 mode

H2HC 2013 Sandboxing

H2HC Breaking Preboot Authentication

Kiwicon 2011

NULLCON 2012

HITB 2011 PMCMA

NULLCON 2019

Syscan 2013 Sandboxing

WCC internal documentation

NoSuchCon Hardware Backdooring Is Practical

RUXCON 2010

Blackhat 2016 Witchcraft-Compiler-Collection User Manual

RUXCON 2011

HackitoErgoSum 2012

RUXCON 2012

RUXCON 2013

ClubHack 2008

blackhat2012

Associated Tools

Index of all tools available for download

Index of miscellaneous low level tools (BIOS, debuggers, kernel code, exploits).

Witchcraft Compiler Collection (WCC) github repository

Latest codebase of the Witchcraft Compiler Collection.

PMCMA github repository

Latest codebase of the Post Memory Corruption Memory Analyzer (PMCMA).

Witchcraft Compiler Collection (WCC) zip archive

Local copy of the Witchcraft Compiler Collection.

PMCMA zip archive

Local copy of the Post Memory Corruption Memory Analyzer (PMCMA).

DEFCON 16 zip archive

Local copy of the exploits and tools presented at DEFCON 16.

Press review

Global coverage